This is an archive of the discontinued LLVM Phabricator instance.

Differential D62929

[GWP-ASan] Integration with Scudo [5].
ClosedPublic

Authored by hctim on Jun 5 2019, 1:13 PM.

Details

Reviewers
vlad.tsyrklevich
cryptoad
Commits
rG21184ec5c48c: [GWP-ASan] Integration with Scudo [5].
rCRT363584: [GWP-ASan] Integration with Scudo [5].
rL363584: [GWP-ASan] Integration with Scudo [5].
Summary

See D60593 for further information.

This patch adds GWP-ASan support to the Scudo hardened allocator. It also
implements end-to-end integration tests using Scudo as the backing allocator.
The tests include crash handling for buffer over/underflow as well as
use-after-free detection.

Diff Detail

Event Timeline

hctim created this revision.Jun 5 2019, 1:13 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptJun 5 2019, 1:14 PM
Herald added subscribers: llvm-commits, Restricted Project, mgorny, kubamracek. · View Herald Transcript
Harbormaster completed remote builds in B32956: Diff 203237.Jun 5 2019, 1:15 PM
cryptoad added a comment.Jun 5 2019, 2:07 PM

I think it's good from the integration perspective.
The only potential concern I have is the specific use of the TLS variables in GWP-ASan which might not work everywhere here (eg: if a platform is using emutls as TLS as it uses malloc() internally).
Have you tested that locally with an Android emulator?

compiler-rt/test/scudo/lit.cfg
54

nit: do you need the extra variable?

hctim added a comment.Jun 6 2019, 1:03 PM
In D62929#1531586, @cryptoad wrote:

The only potential concern I have is the specific use of the TLS variables in GWP-ASan which might not work everywhere here (eg: if a platform is using emutls as TLS as it uses malloc() internally).

GWP-ASan is not supported on platforms without initial exec TLS, and won't build there -- in which case, it won't be included in Scudo :)

Have you tested that locally with an Android emulator?

Not as of right now, but Q will support ELF TLS instead of emutls (https://developer.android.com/preview/features#elf-tls). Will take a look at this soon.

hctim updated this revision to Diff 203429.Jun 6 2019, 1:04 PM
hctim marked an inline comment as done.
  • Removed extra var in scudo lit cfg.
Harbormaster completed remote builds in B33022: Diff 203429.Jun 6 2019, 1:04 PM
cryptoad accepted this revision.Jun 6 2019, 2:05 PM
This revision is now accepted and ready to land.Jun 6 2019, 2:05 PM
vlad.tsyrklevich accepted this revision.Jun 7 2019, 2:09 PM
vlad.tsyrklevich added inline comments.
compiler-rt/lib/scudo/scudo_allocator.cpp
493

Just checking, does reallocate() have the same semantics as realloc() where NewSize == 0 means free? And does allocate(0) always return nullptr in that case?

compiler-rt/test/gwp_asan/invalid_free_left.cpp
4

This uses not while the others above use %expect_crash, you probably want %expect_crash here too and in the other places you use not?

hctim updated this revision to Diff 203840.Jun 10 2019, 9:14 AM
hctim marked 3 inline comments as done.
  • Added new realloc test, deleted dummy test.
compiler-rt/lib/scudo/scudo_allocator.cpp
493

Yep - have also added a unit test for this. Note that C++11 changed this behaviour, and made it implementation defined.

compiler-rt/test/gwp_asan/invalid_free_left.cpp
4

So at the moment, invalid free/double free are detected internally, and terminate through exit(EXIT_FAILURE). The tests with %expect_crash are the ones which terminate through a segv signal ($? == 127).

This is mirroring the behaviour of scudo, where they exit(EXIT_FAILURE) on checksum failure or other error conditions. What might be better though, is when we detect a failure condition internally, we raise a signal. This would allow platforms like Android to still have their special death handlers run.

@morehouse - WDYT? I would say that I'd prefer to raise a signal internally-detected error. I'm not sure that raising SEGV is appropriate here, and it would also increase the complexity of the logic (we'd have to reinstate the previous SEGV handler first). Maybe SIGTRAP or SIGABRT?

Harbormaster completed remote builds in B33137: Diff 203840.Jun 10 2019, 9:16 AM
morehouse added inline comments.Jun 10 2019, 10:25 AM
compiler-rt/test/gwp_asan/invalid_free_left.cpp
4

FWIW, we trigger a SEGV in Google3 by touching the freed page. Not sure if it's the best approach, but it simplified the error handling a bit. Allows everything to go through SEGV handler and then forward to the previous handers, rather than having to implement multiple flows for different errors. Also gives the address of the double-free to previous handlers for them to inspect.

hctim updated this revision to Diff 205118.Jun 17 2019, 10:40 AM

Merge master in preparation for submit.

Harbormaster completed remote builds in B33492: Diff 205118.Jun 17 2019, 10:42 AM
Closed by commit rL363584: [GWP-ASan] Integration with Scudo [5]. (authored by hctim). · Explain WhyJun 17 2019, 10:42 AM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: delcypher. · View Herald TranscriptJun 17 2019, 10:42 AM

Revision Contents

Diff 205118

compiler-rt/lib/scudo/CMakeLists.txt

Show All 24 Lines# android-changes-for-ndk-developers.md#changes-to-library-search-order
endif() endif()
endif() endif()
# The minimal Scudo runtime does not inlude the UBSan runtime. # The minimal Scudo runtime does not inlude the UBSan runtime.
set(SCUDO_MINIMAL_OBJECT_LIBS set(SCUDO_MINIMAL_OBJECT_LIBS
RTSanitizerCommonNoTermination RTSanitizerCommonNoTermination
RTSanitizerCommonLibc RTSanitizerCommonLibc
RTInterception) RTInterception)
if (COMPILER_RT_HAS_GWP_ASAN)
# Currently, Scudo uses the GwpAsan flag parser. This backs onto the flag
# parsing mechanism of sanitizer_common. Once Scudo has its own flag parsing,
# and parses GwpAsan options, you can remove this dependency.
list(APPEND SCUDO_MINIMAL_OBJECT_LIBS RTGwpAsan RTGwpAsanOptionsParser)
list(APPEND SCUDO_CFLAGS -DGWP_ASAN_HOOKS)
endif()
set(SCUDO_OBJECT_LIBS ${SCUDO_MINIMAL_OBJECT_LIBS}) set(SCUDO_OBJECT_LIBS ${SCUDO_MINIMAL_OBJECT_LIBS})
set(SCUDO_DYNAMIC_LIBS ${SCUDO_MINIMAL_DYNAMIC_LIBS}) set(SCUDO_DYNAMIC_LIBS ${SCUDO_MINIMAL_DYNAMIC_LIBS})
if (FUCHSIA) if (FUCHSIA)
list(APPEND SCUDO_CFLAGS -nostdinc++) list(APPEND SCUDO_CFLAGS -nostdinc++)
list(APPEND SCUDO_DYNAMIC_LINK_FLAGS -nostdlib++) list(APPEND SCUDO_DYNAMIC_LINK_FLAGS -nostdlib++)
else() else()
list(APPEND SCUDO_DYNAMIC_LIBS ${SANITIZER_CXX_ABI_LIBRARIES}) list(APPEND SCUDO_DYNAMIC_LIBS ${SANITIZER_CXX_ABI_LIBRARIES})
▲ Show 20 LinesShow All 102 LinesShow Last 20 Lines

compiler-rt/lib/scudo/scudo_allocator.cpp

Show All 19 Lines
#include "scudo_interface_internal.h" #include "scudo_interface_internal.h"
#include "scudo_tsd.h" #include "scudo_tsd.h"
#include "scudo_utils.h" #include "scudo_utils.h"
#include "sanitizer_common/sanitizer_allocator_checks.h" #include "sanitizer_common/sanitizer_allocator_checks.h"
#include "sanitizer_common/sanitizer_allocator_interface.h" #include "sanitizer_common/sanitizer_allocator_interface.h"
#include "sanitizer_common/sanitizer_quarantine.h" #include "sanitizer_common/sanitizer_quarantine.h"
#ifdef GWP_ASAN_HOOKS
# include "gwp_asan/guarded_pool_allocator.h"
# include "gwp_asan/optional/options_parser.h"
#endif // GWP_ASAN_HOOKS
#include <errno.h> #include <errno.h>
#include <string.h> #include <string.h>
namespace __scudo { namespace __scudo {
// Global static cookie, initialized at start-up. // Global static cookie, initialized at start-up.
static u32 Cookie; static u32 Cookie;
▲ Show 20 LinesShow All 172 Lines▼ Show 20 Lines
typedef QuarantineT::Cache QuarantineCacheT; typedef QuarantineT::Cache QuarantineCacheT;
COMPILER_CHECK(sizeof(QuarantineCacheT) <= COMPILER_CHECK(sizeof(QuarantineCacheT) <=
sizeof(ScudoTSD::QuarantineCachePlaceHolder)); sizeof(ScudoTSD::QuarantineCachePlaceHolder));
QuarantineCacheT *getQuarantineCache(ScudoTSD *TSD) { QuarantineCacheT *getQuarantineCache(ScudoTSD *TSD) {
return reinterpret_cast<QuarantineCacheT *>(TSD->QuarantineCachePlaceHolder); return reinterpret_cast<QuarantineCacheT *>(TSD->QuarantineCachePlaceHolder);
} }
#ifdef GWP_ASAN_HOOKS
static gwp_asan::GuardedPoolAllocator GuardedAlloc;
#endif // GWP_ASAN_HOOKS
struct Allocator { struct Allocator {
static const uptr MaxAllowedMallocSize = static const uptr MaxAllowedMallocSize =
FIRST_32_SECOND_64(2UL << 30, 1ULL << 40); FIRST_32_SECOND_64(2UL << 30, 1ULL << 40);
BackendT Backend; BackendT Backend;
QuarantineT Quarantine; QuarantineT Quarantine;
u32 QuarantineChunksUpToSize; u32 QuarantineChunksUpToSize;
▲ Show 20 LinesShow All 62 Lines▼ Show 20 Linesstruct Allocator {
} }
NOINLINE bool isRssLimitExceeded(); NOINLINE bool isRssLimitExceeded();
// Allocates a chunk. // Allocates a chunk.
void *allocate(uptr Size, uptr Alignment, AllocType Type, void *allocate(uptr Size, uptr Alignment, AllocType Type,
bool ForceZeroContents = false) { bool ForceZeroContents = false) {
initThreadMaybe(); initThreadMaybe();
#ifdef GWP_ASAN_HOOKS
if (UNLIKELY(GuardedAlloc.shouldSample())) {
if (void *Ptr = GuardedAlloc.allocate(Size))
return Ptr;
}
#endif // GWP_ASAN_HOOKS
if (UNLIKELY(Alignment > MaxAlignment)) { if (UNLIKELY(Alignment > MaxAlignment)) {
if (AllocatorMayReturnNull()) if (AllocatorMayReturnNull())
return nullptr; return nullptr;
reportAllocationAlignmentTooBig(Alignment, MaxAlignment); reportAllocationAlignmentTooBig(Alignment, MaxAlignment);
} }
if (UNLIKELY(Alignment < MinAlignment)) if (UNLIKELY(Alignment < MinAlignment))
Alignment = MinAlignment; Alignment = MinAlignment;
▲ Show 20 LinesShow All 127 Lines▼ Show 20 Lines void deallocate(void *Ptr, uptr DeleteSize, uptr DeleteAlignment,
// where the only heap operation performed in a thread would be a free past // where the only heap operation performed in a thread would be a free past
// the TLS destructors, ending up in initialized thread specific data never // the TLS destructors, ending up in initialized thread specific data never
// being destroyed properly. Any other heap operation will do a full init. // being destroyed properly. Any other heap operation will do a full init.
initThreadMaybe(/*MinimalInit=*/true); initThreadMaybe(/*MinimalInit=*/true);
if (SCUDO_CAN_USE_HOOKS && &__sanitizer_free_hook) if (SCUDO_CAN_USE_HOOKS && &__sanitizer_free_hook)
__sanitizer_free_hook(Ptr); __sanitizer_free_hook(Ptr);
if (UNLIKELY(!Ptr)) if (UNLIKELY(!Ptr))
return; return;
#ifdef GWP_ASAN_HOOKS
if (UNLIKELY(GuardedAlloc.pointerIsMine(Ptr))) {
GuardedAlloc.deallocate(Ptr);
return;
}
#endif // GWP_ASAN_HOOKS
if (UNLIKELY(!Chunk::isAligned(Ptr))) if (UNLIKELY(!Chunk::isAligned(Ptr)))
dieWithMessage("misaligned pointer when deallocating address %p\n", Ptr); dieWithMessage("misaligned pointer when deallocating address %p\n", Ptr);
UnpackedHeader Header; UnpackedHeader Header;
Chunk::loadHeader(Ptr, &Header); Chunk::loadHeader(Ptr, &Header);
if (UNLIKELY(Header.State != ChunkAllocated)) if (UNLIKELY(Header.State != ChunkAllocated))
dieWithMessage("invalid chunk state when deallocating address %p\n", Ptr); dieWithMessage("invalid chunk state when deallocating address %p\n", Ptr);
if (DeallocationTypeMismatch) { if (DeallocationTypeMismatch) {
// The deallocation type has to match the allocation one. // The deallocation type has to match the allocation one.
Show All 13 Lines#endif // GWP_ASAN_HOOKS
(void)DeleteAlignment; // TODO(kostyak): verify that the alignment matches. (void)DeleteAlignment; // TODO(kostyak): verify that the alignment matches.
quarantineOrDeallocateChunk(Ptr, &Header, Size); quarantineOrDeallocateChunk(Ptr, &Header, Size);
} }
// Reallocates a chunk. We can save on a new allocation if the new requested // Reallocates a chunk. We can save on a new allocation if the new requested
// size still fits in the chunk. // size still fits in the chunk.
void *reallocate(void *OldPtr, uptr NewSize) { void *reallocate(void *OldPtr, uptr NewSize) {
initThreadMaybe(); initThreadMaybe();
#ifdef GWP_ASAN_HOOKS
if (UNLIKELY(GuardedAlloc.pointerIsMine(OldPtr))) {
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Just checking, does reallocate() have the same semantics as realloc() where NewSize == 0 means free? And does allocate(0) always return nullptr in that case?

vlad.tsyrklevich: Just checking, does reallocate() have the same semantics as realloc() where NewSize == 0 means…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Yep - have also added a unit test for this. Note that C++11 changed this behaviour, and made it implementation defined.

hctim: Yep - have also added a unit test for this. Note that C++11 changed this behaviour, and made it…
size_t OldSize = GuardedAlloc.getSize(OldPtr);
void *NewPtr = allocate(NewSize, MinAlignment, FromMalloc);
if (NewPtr)
memcpy(NewPtr, OldPtr, (NewSize < OldSize) ? NewSize : OldSize);
GuardedAlloc.deallocate(OldPtr);
return NewPtr;
}
#endif // GWP_ASAN_HOOKS
if (UNLIKELY(!Chunk::isAligned(OldPtr))) if (UNLIKELY(!Chunk::isAligned(OldPtr)))
dieWithMessage("misaligned address when reallocating address %p\n", dieWithMessage("misaligned address when reallocating address %p\n",
OldPtr); OldPtr);
UnpackedHeader OldHeader; UnpackedHeader OldHeader;
Chunk::loadHeader(OldPtr, &OldHeader); Chunk::loadHeader(OldPtr, &OldHeader);
if (UNLIKELY(OldHeader.State != ChunkAllocated)) if (UNLIKELY(OldHeader.State != ChunkAllocated))
dieWithMessage("invalid chunk state when reallocating address %p\n", dieWithMessage("invalid chunk state when reallocating address %p\n",
OldPtr); OldPtr);
Show All 25 Lines#endif // GWP_ASAN_HOOKS
return NewPtr; return NewPtr;
} }
// Helper function that returns the actual usable size of a chunk. // Helper function that returns the actual usable size of a chunk.
uptr getUsableSize(const void *Ptr) { uptr getUsableSize(const void *Ptr) {
initThreadMaybe(); initThreadMaybe();
if (UNLIKELY(!Ptr)) if (UNLIKELY(!Ptr))
return 0; return 0;
#ifdef GWP_ASAN_HOOKS
if (UNLIKELY(GuardedAlloc.pointerIsMine(Ptr)))
return GuardedAlloc.getSize(Ptr);
#endif // GWP_ASAN_HOOKS
UnpackedHeader Header; UnpackedHeader Header;
Chunk::loadHeader(Ptr, &Header); Chunk::loadHeader(Ptr, &Header);
// Getting the usable size of a chunk only makes sense if it's allocated. // Getting the usable size of a chunk only makes sense if it's allocated.
if (UNLIKELY(Header.State != ChunkAllocated)) if (UNLIKELY(Header.State != ChunkAllocated))
dieWithMessage("invalid chunk state when sizing address %p\n", Ptr); dieWithMessage("invalid chunk state when sizing address %p\n", Ptr);
return Chunk::getUsableSize(Ptr, &Header); return Chunk::getUsableSize(Ptr, &Header);
} }
▲ Show 20 LinesShow All 106 Lines▼ Show 20 Lines
static Allocator Instance(LINKER_INITIALIZED); static Allocator Instance(LINKER_INITIALIZED);
static BackendT &getBackend() { static BackendT &getBackend() {
return Instance.Backend; return Instance.Backend;
} }
void initScudo() { void initScudo() {
Instance.init(); Instance.init();
#ifdef GWP_ASAN_HOOKS
gwp_asan::options::initOptions();
GuardedAlloc.init(gwp_asan::options::getOptions());
#endif // GWP_ASAN_HOOKS
} }
void ScudoTSD::init() { void ScudoTSD::init() {
getBackend().initCache(&Cache); getBackend().initCache(&Cache);
memset(QuarantineCachePlaceHolder, 0, sizeof(QuarantineCachePlaceHolder)); memset(QuarantineCachePlaceHolder, 0, sizeof(QuarantineCachePlaceHolder));
} }
void ScudoTSD::commitBack() { void ScudoTSD::commitBack() {
▲ Show 20 LinesShow All 133 LinesShow Last 20 Lines

compiler-rt/test/gwp_asan/CMakeLists.txt

set(GWP_ASAN_LIT_SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR}) set(GWP_ASAN_LIT_SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR})
set(GWP_ASAN_LIT_BINARY_DIR ${CMAKE_CURRENT_BINARY_DIR}) set(GWP_ASAN_LIT_BINARY_DIR ${CMAKE_CURRENT_BINARY_DIR})
set(GWP_ASAN_TESTSUITES) set(GWP_ASAN_TESTSUITES)
set(GWP_ASAN_UNITTEST_DEPS) set(GWP_ASAN_UNITTEST_DEPS)
set(GWP_ASAN_TEST_DEPS set(GWP_ASAN_TEST_DEPS
${SANITIZER_COMMON_LIT_TEST_DEPS} ${SANITIZER_COMMON_LIT_TEST_DEPS}
gwp_asan) gwp_asan
scudo)
# Longstanding issues in the Android test runner means that compiler-rt unit # Longstanding issues in the Android test runner means that compiler-rt unit
# tests don't work on Android due to libc++ link-time issues. Looks like the # tests don't work on Android due to libc++ link-time issues. Looks like the
# exported libc++ from the Android NDK is x86-64, even though it's part of the # exported libc++ from the Android NDK is x86-64, even though it's part of the
# ARM[64] toolchain... See similar measures for ASan and sanitizer-common that # ARM[64] toolchain... See similar measures for ASan and sanitizer-common that
# disable unit tests for Android. # disable unit tests for Android.
if (COMPILER_RT_INCLUDE_TESTS AND COMPILER_RT_HAS_GWP_ASAN AND NOT ANDROID) if (COMPILER_RT_INCLUDE_TESTS AND COMPILER_RT_HAS_GWP_ASAN AND NOT ANDROID)
list(APPEND GWP_ASAN_TEST_DEPS GwpAsanUnitTests) list(APPEND GWP_ASAN_TEST_DEPS GwpAsanUnitTests)
Show All 33 Lines

compiler-rt/test/gwp_asan/double_delete.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Double free occurred when trying to free memory at:
#include <cstdlib>
int main() {
char *Ptr = new char;
delete Ptr;
delete Ptr;
return 0;
}

compiler-rt/test/gwp_asan/double_deletea.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Double free occurred when trying to free memory at:
#include <cstdlib>
int main() {
char *Ptr = new char[50];
delete[] Ptr;
delete[] Ptr;
return 0;
}

compiler-rt/test/gwp_asan/double_free.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Double free occurred when trying to free memory at:
#include <cstdlib>
int main() {
void *Ptr = malloc(10);
free(Ptr);
free(Ptr);
return 0;
}

compiler-rt/test/gwp_asan/dummy_test.cc

  • This file was deleted.
// Exists to simply stop warnings about lit not discovering any tests here.
// RUN: %clang %s -o %s.o
int main() { return 0; }

compiler-rt/test/gwp_asan/heap_buffer_overflow.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %expect_crash %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Buffer overflow occurred when accessing memory at:
// CHECK: is located {{[0-9]+}} bytes to the right
#include <cstdlib>
#include "page_size.h"
int main() {
char *Ptr =
reinterpret_cast<char *>(malloc(pageSize()));
volatile char x = *(Ptr + pageSize());
return 0;
}

compiler-rt/test/gwp_asan/heap_buffer_underflow.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %expect_crash %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Buffer underflow occurred when accessing memory at:
// CHECK: is located 1 bytes to the left
#include <cstdlib>
#include "page_size.h"
int main() {
char *Ptr =
reinterpret_cast<char *>(malloc(pageSize()));
volatile char x = *(Ptr - 1);
return 0;
}

compiler-rt/test/gwp_asan/invalid_free_left.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

This uses not while the others above use %expect_crash, you probably want %expect_crash here too and in the other places you use not?

vlad.tsyrklevich: This uses not while the others above use %expect_crash, you probably want %expect_crash here…
hctimAuthorUnsubmitted
Not Done
ReplyInline Actions

So at the moment, invalid free/double free are detected internally, and terminate through exit(EXIT_FAILURE). The tests with %expect_crash are the ones which terminate through a segv signal ($? == 127).

This is mirroring the behaviour of scudo, where they exit(EXIT_FAILURE) on checksum failure or other error conditions. What might be better though, is when we detect a failure condition internally, we raise a signal. This would allow platforms like Android to still have their special death handlers run.

@morehouse - WDYT? I would say that I'd prefer to raise a signal internally-detected error. I'm not sure that raising SEGV is appropriate here, and it would also increase the complexity of the logic (we'd have to reinstate the previous SEGV handler first). Maybe SIGTRAP or SIGABRT?

hctim: So at the moment, invalid free/double free are detected internally, and terminate through `exit…
morehouseUnsubmitted
Not Done
ReplyInline Actions

FWIW, we trigger a SEGV in Google3 by touching the freed page. Not sure if it's the best approach, but it simplified the error handling a bit. Allows everything to go through SEGV handler and then forward to the previous handers, rather than having to implement multiple flows for different errors. Also gives the address of the double-free to previous handlers for them to inspect.

morehouse: FWIW, we trigger a SEGV in Google3 by touching the freed page. Not sure if it's the best…
// CHECK: GWP-ASan detected a memory error
// CHECK: Invalid (wild) free occurred when trying to free memory at:
// CHECK: is located 1 bytes to the left of
#include <cstdlib>
int main() {
char *Ptr =
reinterpret_cast<char *>(malloc(1));
free(Ptr - 1);
return 0;
}

compiler-rt/test/gwp_asan/invalid_free_right.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Invalid (wild) free occurred when trying to free memory at:
// CHECK: is located 1 bytes to the right
#include <cstdlib>
int main() {
char *Ptr =
reinterpret_cast<char *>(malloc(1));
free(Ptr + 1);
return 0;
}

compiler-rt/test/gwp_asan/lit.cfg

Show All 14 Lines
c_flags = ([config.target_cflags]) c_flags = ([config.target_cflags])
# Android doesn't want -lrt. # Android doesn't want -lrt.
if not config.android: if not config.android:
c_flags += ["-lrt"] c_flags += ["-lrt"]
cxx_flags = (c_flags + config.cxx_mode_flags + ["-std=c++11"]) cxx_flags = (c_flags + config.cxx_mode_flags + ["-std=c++11"])
gwp_asan_flags = ["-fsanitize=scudo"]
def build_invocation(compile_flags): def build_invocation(compile_flags):
return " " + " ".join([config.clang] + compile_flags) + " " return " " + " ".join([config.clang] + compile_flags) + " "
# Add substitutions. # Add substitutions.
config.substitutions.append(("%clang ", build_invocation(c_flags))) config.substitutions.append(("%clang ", build_invocation(c_flags)))
config.substitutions.append(("%clang_gwp_asan ", build_invocation(c_flags + gwp_asan_flags)))
config.substitutions.append(("%clangxx_gwp_asan ", build_invocation(cxx_flags + gwp_asan_flags)))
# Platform-specific default GWP_ASAN for lit tests. Ensure that GWP-ASan is
# enabled and that it samples every allocation.
default_gwp_asan_options = 'Enabled=1:SampleRate=1'
config.environment['GWP_ASAN_OPTIONS'] = default_gwp_asan_options
default_gwp_asan_options += ':'
config.substitutions.append(('%env_gwp_asan_options=',
'env GWP_ASAN_OPTIONS=' + default_gwp_asan_options))
# GWP-ASan tests are currently supported on Linux only. # GWP-ASan tests are currently supported on Linux only.
if config.host_os not in ['Linux']: if config.host_os not in ['Linux']:
config.unsupported = True config.unsupported = True

compiler-rt/test/gwp_asan/page_size.h

  • This file was added.
#ifndef PAGE_SIZE_
#define PAGE_SIZE_
#if defined (__unix__) || (defined (__APPLE__) && defined (__MACH__))
# include <unistd.h>
unsigned pageSize() {
return sysconf(_SC_PAGESIZE);
}
#else
# error "GWP-ASan is not supported on this platform."
#endif
#endif // PAGE_SIZE_

compiler-rt/test/gwp_asan/realloc.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t -DTEST_MALLOC
// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix CHECK-MALLOC
// Check both C++98 and C.
// RUN: %clangxx_gwp_asan -std=c++98 %s -o %t -DTEST_FREE
// RUN: %expect_crash %run %t 2>&1 | FileCheck %s --check-prefix CHECK-FREE
// RUN: cp %s %t.c && %clang_gwp_asan %t.c -o %t -DTEST_FREE
// RUN: %expect_crash %run %t 2>&1 | FileCheck %s --check-prefix CHECK-FREE
// Ensure GWP-ASan stub implementation of realloc() in Scudo works to-spec. In
// particular, the behaviour regarding realloc of size zero is interesting, as
// it's defined as free().
#include <stdlib.h>
int main() {
#if defined(TEST_MALLOC)
// realloc(nullptr, size) is equivalent to malloc(size).
char *Ptr = reinterpret_cast<char *>(realloc(nullptr, 1));
*Ptr = 0;
// Trigger an INVALID_FREE to the right.
free(Ptr + 1);
// CHECK-MALLOC: GWP-ASan detected a memory error
// CHECK-MALLOC: Invalid (wild) free occurred when trying to free memory at:
// CHECK-MALLOC: is located 1 bytes to the right of a 1-byte allocation
#elif defined(TEST_FREE)
char *Ptr = (char *) malloc(1);
// realloc(ptr, 0) is equivalent to free(ptr) and must return nullptr. Note
// that this is only the specification in C++98 and C.
if (realloc(Ptr, 0) != NULL) {
}
// Trigger a USE_AFTER_FREE.
*Ptr = 0;
// CHECK-FREE: GWP-ASan detected a memory error
// CHECK-FREE: Use after free occurred when accessing memory at:
// CHECK-FREE: is a 1-byte allocation
#endif
return 0;
}

compiler-rt/test/gwp_asan/repeated_alloc.cpp

  • This file was added.
// REQUIRES: gwp_asan
// This test ensures that normal allocation/memory access/deallocation works
// as expected and we didn't accidentally break the supporting allocator.
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %env_gwp_asan_options=MaxSimultaneousAllocations=1 %run %t
// RUN: %env_gwp_asan_options=MaxSimultaneousAllocations=2 %run %t
// RUN: %env_gwp_asan_options=MaxSimultaneousAllocations=11 %run %t
// RUN: %env_gwp_asan_options=MaxSimultaneousAllocations=12 %run %t
// RUN: %env_gwp_asan_options=MaxSimultaneousAllocations=13 %run %t
#include <cstdlib>
int main() {
void* Pointers[16];
for (unsigned i = 0; i < 16; ++i) {
char *Ptr = reinterpret_cast<char*>(malloc(1 << i));
Pointers[i] = Ptr;
*Ptr = 0;
Ptr[(1 << i) - 1] = 0;
}
for (unsigned i = 0; i < 16; ++i) {
free(Pointers[i]);
}
return 0;
}

compiler-rt/test/gwp_asan/use_after_delete.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %expect_crash %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Use after free occurred when accessing memory at:
#include <cstdlib>
int main() {
char *Ptr = new char;
*Ptr = 0x0;
delete Ptr;
volatile char x = *Ptr;
return 0;
}

compiler-rt/test/gwp_asan/use_after_deletea.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %expect_crash %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Use after free occurred when accessing memory at:
#include <cstdlib>
int main() {
char *Ptr = new char[10];
for (unsigned i = 0; i < 10; ++i) {
*(Ptr + i) = 0x0;
}
delete[] Ptr;
volatile char x = *Ptr;
return 0;
}

compiler-rt/test/gwp_asan/use_after_free.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %expect_crash %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Use after free occurred when accessing memory at:
#include <cstdlib>
int main() {
char *Ptr = reinterpret_cast<char *>(malloc(10));
for (unsigned i = 0; i < 10; ++i) {
*(Ptr + i) = 0x0;
}
free(Ptr);
volatile char x = *Ptr;
return 0;
}

compiler-rt/test/lit.common.cfg

Show First 20 LinesShow All 233 Lines▼ Show 20 Linesif config.has_lld:
config.available_features.add('lld-available') config.available_features.add('lld-available')
if config.use_lld: if config.use_lld:
config.available_features.add('lld') config.available_features.add('lld')
if config.can_symbolize: if config.can_symbolize:
config.available_features.add('can-symbolize') config.available_features.add('can-symbolize')
if config.gwp_asan:
config.available_features.add('gwp_asan')
lit.util.usePlatformSdkOnDarwin(config, lit_config) lit.util.usePlatformSdkOnDarwin(config, lit_config)
if config.host_os == 'Darwin': if config.host_os == 'Darwin':
osx_version = (10, 0, 0) osx_version = (10, 0, 0)
try: try:
osx_version = subprocess.check_output(["sw_vers", "-productVersion"]) osx_version = subprocess.check_output(["sw_vers", "-productVersion"])
osx_version = tuple(int(x) for x in osx_version.split('.')) osx_version = tuple(int(x) for x in osx_version.split('.'))
if len(osx_version) == 2: osx_version = (osx_version[0], osx_version[1], 0) if len(osx_version) == 2: osx_version = (osx_version[0], osx_version[1], 0)
▲ Show 20 LinesShow All 245 LinesShow Last 20 Lines

compiler-rt/test/lit.common.configured.in

Show All 35 Lines
set_default("use_thinlto", False) set_default("use_thinlto", False)
set_default("use_lto", config.use_thinlto) set_default("use_lto", config.use_thinlto)
set_default("use_newpm", False) set_default("use_newpm", False)
set_default("android", @ANDROID_PYBOOL@) set_default("android", @ANDROID_PYBOOL@)
set_default("android_ndk_version", @ANDROID_NDK_VERSION@) set_default("android_ndk_version", @ANDROID_NDK_VERSION@)
set_default("android_serial", "@ANDROID_SERIAL_FOR_TESTING@") set_default("android_serial", "@ANDROID_SERIAL_FOR_TESTING@")
set_default("android_files_to_push", []) set_default("android_files_to_push", [])
set_default("have_rpc_xdr_h", @HAVE_RPC_XDR_H@) set_default("have_rpc_xdr_h", @HAVE_RPC_XDR_H@)
set_default("gwp_asan", @COMPILER_RT_HAS_GWP_ASAN_PYBOOL@)
config.available_features.add('target-is-%s' % config.target_arch) config.available_features.add('target-is-%s' % config.target_arch)
if config.enable_per_target_runtime_dir: if config.enable_per_target_runtime_dir:
set_default("target_suffix", "") set_default("target_suffix", "")
else: else:
set_default("target_suffix", "-%s" % config.target_arch) set_default("target_suffix", "-%s" % config.target_arch)
set_default("have_zlib", "@HAVE_LIBZ@") set_default("have_zlib", "@HAVE_LIBZ@")
Show All 17 Lines

compiler-rt/test/scudo/lit.cfg

Show First 20 LinesShow All 43 Lines▼ Show 20 Lines
config.substitutions.append(("%shared_minlibscudo", shared_minlibscudo)) config.substitutions.append(("%shared_minlibscudo", shared_minlibscudo))
# Platform-specific default SCUDO_OPTIONS for lit tests. # Platform-specific default SCUDO_OPTIONS for lit tests.
default_scudo_opts = '' default_scudo_opts = ''
if config.android: if config.android:
# Android defaults to abort_on_error=1, which doesn't work for us. # Android defaults to abort_on_error=1, which doesn't work for us.
default_scudo_opts = 'abort_on_error=0' default_scudo_opts = 'abort_on_error=0'
# Disable GWP-ASan for scudo internal tests.
if config.gwp_asan:
config.environment['GWP_ASAN_OPTIONS'] = 'Enabled=0'
cryptoadUnsubmitted
Done
ReplyInline Actions

nit: do you need the extra variable?

cryptoad: nit: do you need the extra variable?
if default_scudo_opts: if default_scudo_opts:
config.environment['SCUDO_OPTIONS'] = default_scudo_opts config.environment['SCUDO_OPTIONS'] = default_scudo_opts
default_scudo_opts += ':' default_scudo_opts += ':'
config.substitutions.append(('%env_scudo_opts=', config.substitutions.append(('%env_scudo_opts=',
'env SCUDO_OPTIONS=' + default_scudo_opts)) 'env SCUDO_OPTIONS=' + default_scudo_opts))
# Hardened Allocator tests are currently supported on Linux only. # Hardened Allocator tests are currently supported on Linux only.
if config.host_os not in ['Linux']: if config.host_os not in ['Linux']:
config.unsupported = True config.unsupported = True
compiler-rt/test/gwp_asan/double_deletea.cpp